10-22-2007 01:59 AM - edited 02-21-2020 01:43 AM
We have a Cisco PIX 515e (with a quad card for 4 DMZs). We are thinking of upgrading, as the CPU can get high, etc. What is the new model to go for that does the same job but gives us more CPU and memory?
10-22-2007 05:53 AM
Have a look here...
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
10-22-2007 06:00 AM
Thanks, so if I was to buy a new firewall for an upgrade it would be an ASA and not another Pix?
10-23-2007 01:42 AM
Yes, you are right. The ASA is the replacement for the PIX, since the PIX does only the firewall/VPN part, whereas the ASA does IDS, IPS and Anti-Virus engine plus the PIX features.
10-23-2007 07:15 AM
Our PIX has a quad card to give us 4 DMZs. Can the ASAs do this?
10-23-2007 11:14 AM
You can use either ASA5510-SEC-BUN-K9 which has 5 Fast Ethernet interfaces or ASA5520-BUN-K9 that has 4 Gigabit Ethernet interfaces + 1 Fast Ethernet interface.
Take a look here - http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd802930c5.html
At the same time you can use VLANs to create multiple sub-interfaces from a single DMZ on ASA.
As an example, the ASA5510-BUN-K9 (which has 3 Fast Ethernet interfaces) can support up to 50 VLANs with the Standard license and up to 100 VLANs with the Security Plus license.
So in your situation you will need 4 VLAN interfaces to be configured on the single physical DMZ port and then connect this DMZ port to any VLAN-capable switch.
Hope this will help.
-- Eugene
10-23-2007 11:31 AM
I think you describe my current PIX setup: I have 4 ports for the DMZs, and each of the 4 ports goes into a separate VLAN on my switch. Fast Ethernet 0 goes into another VLAN where my Internet router is, and Fast Ethernet 1 goes to another VLAN where my LAN is. This is 6 ports; the 5520 only has 5. How can I get round this?
Thanks
10-23-2007 12:18 PM
You need only 3 physical ports: inside, outside and DMZ.
On a single physical DMZ interface you can have multiple logical VLAN interfaces.
On the switch side you need to configure the switchport as 802.1q trunk.
Here's the link to the documentation: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006
-- Eugene
10-23-2007 12:32 PM
1.) So basically you can have the Fast Ethernet port for the Internet VLAN, one of the Gigabit ports for the LAN VLAN, and the 3rd to a switch which can somehow split a single Gigabit port into 4 DMZs?
2.) Do all Cisco switches do this? I have a 2950, a 3550 and a 3560 that the current 4 physical DMZ ports go into.
3.) I suppose if we wanted to keep this structure we could get more ports for a 5520?
10-26-2007 11:28 AM
You can have multiple VLANs from one physical interface by creating "sub-interfaces". The only catch is the interface at the other end (on your switch for example) would have to be configured as a trunk port to allow multiple VLANs.
10-26-2007 11:36 AM
It will be a Cisco 3750 switch. What will I have to put into the switch's config?
10-26-2007 01:13 PM
Go into interface config and add these commands in:
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
10-26-2007 11:52 PM
Hi, is that put on the global interface or on the port that connects to the ASA?
Our current PIX has a quad card for our 4 DMZs. These 4 ports just plug into a switch with 4 VLANs, and each port has an interface IP, so the PIX is rather like a router. How will the ASA work? Can we give the 4 VLANs IPs?
10-29-2007 08:53 AM
That will be placed on the interface of the switch connected to the ASA. Basically what's going to happen is that you configure that switch port to trunk (to allow multiple VLAN traffic through), and then on the physical port on the ASA you create new logical subinterfaces for each additional gateway you need (easier to see and do in ASDM). For example, e0/0 and e0/1 are used as Outside and Inside, so e0/2 is available. I'll then create a new interface for, say, VLAN 17 with its appropriate IP address. You'll then see a new interface called e0/2.17, or however you name it.
10-29-2007 10:17 AM
Great. In your example you use VLAN 17 on e0/2 (which links to the switch); if I want to add another VLAN down e0/2, can I do this, as I would need 4 for my DMZs?
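A worked configuration for the setup discussed in this thread (an 802.1q trunk on the 3750 and four VLAN subinterfaces on ASA e0/2 replacing the four physical PIX DMZ ports), added here as an example and not taken from any post above. The switch port name, VLAN IDs 17 to 20, the native VLAN 999 and the IP addresses are assumptions.

```text
! --- Catalyst 3750 (IOS): port facing ASA e0/2, assumed to be Gi1/0/1 ---
vlan 17,18,19,20
! Assumed unused VLAN as the trunk's native (untagged) VLAN, so no DMZ rides untagged
vlan 999
!
interface GigabitEthernet1/0/1
 description 802.1q trunk to ASA Ethernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 ! Prune the trunk to the four DMZ VLANs only; nothing else can reach the ASA port
 switchport trunk allowed vlan 17,18,19,20
 switchport mode trunk
 ! Static trunk, no DTP negotiation with the firewall
 switchport nonegotiate
!
! --- ASA (7.2): physical port carries tagged subinterfaces only ---
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per DMZ VLAN; the vlan tag must match the switch VLAN ID
interface Ethernet0/2.17
 vlan 17
 nameif dmz1
 security-level 50
 ip address 10.17.0.1 255.255.255.0
!
interface Ethernet0/2.18
 vlan 18
 nameif dmz2
 security-level 50
 ip address 10.18.0.1 255.255.255.0
!
interface Ethernet0/2.19
 vlan 19
 nameif dmz3
 security-level 50
 ip address 10.19.0.1 255.255.255.0
!
interface Ethernet0/2.20
 vlan 20
 nameif dmz4
 security-level 50
 ip address 10.20.0.1 255.255.255.0
```

With all four subinterfaces at the same security level, the ASA denies traffic between them by default (unless same-security-traffic permit inter-interface is configured), so each DMZ stays isolated from the others just as the four physical PIX ports were.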